Improve documentation/add-clarification around the storage options and thier permission enforcement, including notice on roles view

[brynmoorhouse]

Attempted Debugging

• I have read the debugging page

Searched GitHub Issues

• I have searched GitHub for the issue.

Describe the Scenario

This is possibly me misunderstanding the feature, or it might be a bug, but I've enabled the following in my .env
STORAGE_TYPE=local_secure
I've verified that all images are being uploaded to storage/uploads (outside the public directory), but yet I can still enter the direct image URL in an incognito tab to view the image. I'd expect that I'd need to be logged in to view the image?

I did find issue #2998, which is the same scenario, apart from I have not set STORAGE_IMAGE_TYPE at all, which if I've read the docs correctly, means that it will use STORAGE_TYPE

Thanks,

Exact BookStack Version

v22.07.3

Log Content

No response

PHP Version

8.1

Hosting Environment

Debian 10, NGINx, PHP 8.1 fpm

[ssddanbrown]

Hi @brynmoorhouse,
Do you have the "Allow public access" setting enabled in the "Settings > Features & Security" area of BookStack?

[brynmoorhouse]

I do, but the page which the image is uploaded to isn't public.

[ssddanbrown]

@brynmoorhouse Yeah, that'll be the cause. This image solution is only enforced when public access is disabled, since this uses the same auth control logic. This is mentioned in our security docs page but maybe we need to also mention this on our file uploads docs page.

[brynmoorhouse]

I've just turned it off and it now requests login. This will work for us for now, but it would be good if we can have that as a feature request - the permissions show that the image access is controlled by the item it's uploaded to, but that doesn't seem to be the case here.

[ssddanbrown]

the permissions show that the image access is controlled by the item it's uploaded to, but that doesn't seem to be the case here.

Yeah, this could do with clarifying I guess on this roles view to avoid insecure assumptions.
The view of images, within the image manager, will be controlled by items they're uploaded to.
Access to the actual image file, is not so controlled via the system, and depends by storage type as discussed above.

but it would be good if we can have that as a feature request

Sure, I haven't had this as a common request here (Can't find existing issue) but has been requested via some other channels.
It's about time we add this as an option, although there will be some caveats/usability concerns. I've started this off in #3693, to be part of the next release.

This issue will remain open, with an aim to clarify the available image security options. I'll update the title for this focus.